When do we fix the problem?

So, with the increase in internet crime we seem to keep hearing about over, and over, and over again in security news publications, the attackers have really ramped up their sophistication. The information security game has radically changed and it sounds like the good guys are losing. This article in PC World talks about new malware techniques for evading detection.

The bad guys are testing their code against anti-virus engines to ensure they aren't detectable. This technique is mentioned along with numerous other depressing techniques used by the cybercrime underground in this report by Peter Gutmann.

For years we've been patching to address shoddy programming, installing anti-virus updates and then anti-spyware, we've used firewalls to hide gobs of insecure servers, and so on. Not that any of this works all that well for the average user (or we wouldn't have so many botnet members falling in home user IP space). It burns up a lot of time in the corporate world.

I don't think we can keep ignoring the underlying, fundamental problems in computer security for much longer. We need something for the disease not the symptoms. At some point the pain will get large enough to pass it on to the software vendors. Perhaps there will actually come a time that users would rather be secure than get the next greatest feature. Or am I being too optimistic again?